SabreTools/BinaryObjectScanner
1
0
Fork 0
mirror of https://github.com/SabreTools/BinaryObjectScanner.git synced 2026-02-11 05:35:15 +00:00
Code Issues 295 Packages Projects Releases 20 Wiki Activity
Files
008e1ad27bc6629d2bebc952ae43ac35dfb8a6fa
BinaryObjectScanner/BurnOutSharp.Models/PortableExecutable/AttributeCertificateTableEntry.cs
Matt Nadareski 54082c1fce Add PE attribute certificate table
2022-11-05 21:02:30 -07:00

64 lines
3.2 KiB
C#
Raw Blame History

namespace BurnOutSharp.Models.PortableExecutable
{
/// <summary>
/// Attribute certificates can be associated with an image by adding an attribute
/// certificate table. The attribute certificate table is composed of a set of
/// contiguous, quadword-aligned attribute certificate entries. Zero padding is
/// inserted between the original end of the file and the beginning of the attribute
/// certificate table to achieve this alignment.
///
/// The virtual address value from the Certificate Table entry in the Optional
/// Header Data Directory is a file offset to the first attribute certificate
/// entry. Subsequent entries are accessed by advancing that entry's dwLength
/// bytes, rounded up to an 8-byte multiple, from the start of the current
/// attribute certificate entry. This continues until the sum of the rounded dwLength
/// values equals the Size value from the Certificates Table entry in the Optional
/// Header Data Directory. If the sum of the rounded dwLength values does not equal
/// the Size value, then either the attribute certificate table or the Size field
/// is corrupted.
///
/// The first certificate starts at offset 0x5000 from the start of the file on disk.
/// To advance through all the attribute certificate entries:
///
/// 1. Add the first attribute certificate's dwLength value to the starting offset.
/// 2. Round the value from step 1 up to the nearest 8-byte multiple to find the offset
/// of the second attribute certificate entry.
/// 3. Add the offset value from step 2 to the second attribute certificate entry's
/// dwLength value and round up to the nearest 8-byte multiple to determine the offset
/// of the third attribute certificate entry.
/// 4. Repeat step 3 for each successive certificate until the calculated offset equals
/// 0x6000 (0x5000 start + 0x1000 total size), which indicates that you've walked
/// the entire table.
///
/// Attribute certificate table entries can contain any certificate type, as long as
/// the entry has the correct dwLength value, a unique wRevision value, and a unique
/// wCertificateType value. The most common type of certificate table entry is a
/// WIN_CERTIFICATE structure, which is documented in Wintrust.h and discussed in
/// the remainder of this section.
/// </summary>
/// <see href="https://learn.microsoft.com/en-us/windows/win32/debug/pe-format"/>
public class AttributeCertificateTableEntry
{
/// <summary>
/// Specifies the length of the attribute certificate entry.
/// </summary>
public uint Length;
/// <summary>
/// Contains the certificate version number.
/// </summary>
public WindowsCertificateRevision Revision;
/// <summary>
/// Specifies the type of content in Certificate.
/// </summary>
public WindowsCertificateType CertificateType;
/// <summary>
/// Contains a certificate, such as an Authenticode signature.
/// </summary>
/// <see href="https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#certificate-data"/>
public byte[] Certificate;
}
}
Reference in New Issue View Git Blame Copy Permalink